On the offensive in the cyberspace arms race

By James Andrew Lewis, special to The Washington Post

Posted: 10/10/2013 04:24:06 PM MDT

A Leopard 2 A6 combat tank is seen during the annual military exercises held for the media at the Bergen military training grounds on October 2, 2013 near Munster, Germany. (Photo by Philipp Guelland/Getty Images)

Anyone with a computer and an Internet connection can launch a cyber "attack," even though the skills and tools needed to do real damage are still in short supply. The Internet was not built to be secure and will not become secure anytime soon. Networks are vulnerable. This explains why cyber-espionage and fraud are so easy. Economies depend on the Internet and a growing number of services and devices — factories, electric power plants, airplanes, cars — are connected to it, making it an irresistible target. Crash the computers that run these systems and things stop. Power grids, financial networks, communications, public utilities and transportation systems are all targets for cyberattacks. But truly destructive attacks are hard to pull off.

Cyberattacks can disrupt data and services to sow confusion, cripple networks and computers (including those embedded in weapons systems) and in some instances, destroy machinery. The risks are real, but easily exaggerated, as when a group of defense advisers intoned in a recent report that cyberattacks have "potential consequences similar in some ways to the nuclear threat of the Cold War." Just as early air-power enthusiasts ascribed miraculous qualities to air attacks, expecting them to produce intolerable destruction and rapid victory, the discussion of cyberattacks too easily veers into the realm of science fiction, what one senior Navy officer calls "fairy dust." Sprinkle a little cyber fairy dust on your military problem and it will disappear.

There is no fairy dust when it comes to offensive cyber-capabilities. In the movies, a hacker types wildly on a laptop for a few seconds and turns off a city's lights. In fact, a serious attack can take months to plan, probing the target network and developing code tailored to damage, disrupt or destroy. Attacks have several stages: conducting reconnaissance to identify the target's vulnerabilities, breaking in, delivering the software "payload" and then "triggering" it — all without being detected. The most damaging cyberattacks — such as Stuxnet, which destroyed centrifuges used by the Iranian nuclear program — are still a high art. Only the United States, Britain, China, Russia and Israel possess the necessary skills, but many others want them.

Offensive cyber-capabilities provide real military advantage. This is why most leading military powers are developing them. Publicly available information shows 46 countries with military cyber-programs, and 12 countries acknowledging offensive cyber-capabilities in 2012 (up from four in 2011). Other countries have military programs but don't admit to them.

Unlike the United States, most countries say very little about their military doctrine. Most of them blend war-fighting and covert action in their cyber-war planning. Each nation's plans for offensive cyber-operations reflect its own military strategy. The Russians combine political action with cyber-strikes on command networks and critical infrastructure to cripple opponents at the start of conflict. The Chinese focus on quickly disabling U.S. military systems and have systematically hacked into just about every weapon related to U.S. plans for an "Air-Sea Battle" in Asia. Iran will attack energy infrastructure and considers cyber a way to score against a distant and once-invulnerable foe. North Korea's attacks are driven by its internal politics and dislike of the South.

There have been only a handful of true cyberattacks. Russia and China are hyperactive in cyber-espionage, but are cautious about offensive use and avoid actions that could trigger a violent response. Iran and North Korea are more aggressive and are improving their cyber-capabilities. Iran attacked Saudi Aramco, destroying data on 30,000 hard drives. North Korea did something similar to South Korean banks. The worry is that either country will miscalculate in its use of cyberattacks and stumble into a larger conflict.

Jihadis, anarchists and other non-state actors don't have real cyberattack capabilities. This is not much of a comfort because acquiring attack capabilities is becoming easier. The trend in information technology is commoditization — products get smaller, cheaper and more powerful. Cyberattack is being commoditized and cyber-crime provides innovative tools (such as the one Iran used against Aramco). Jihadis prefer the drama and violence of bombs to cyberattack, but that may change. The Syrian Electronic Army has only basic skills but could use its ties to Russian and Iranian hackers to improve. The global trend is increased capabilities and more attackers.

For the United States, offensive cyber-capabilities provide a new way to attack. The recently leaked Presidential Policy Directive 20 set the rules for "offensive cyber operations." Only the president can approve a cyber-operation likely to result in "significant consequences" that could result in the loss of life or a damaging reaction, although the defense secretary or the head of the U.S. Cyber Command can take independent action in an emergency. The United States could relax the requirement for presidential approval — similar to the presidential authorization needed to use nuclear weapons — as technology improves, but offensive cyber-capabilities are still too new, with too many unknown risks, to let anyone but the president make a decision with potentially profound consequences for the nation.

Using offensive cyber-operations requires deciding between different military goals and priorities. Once you get access to a target network, the first decision is whether to attack or to sit quietly and collect intelligence — because once you attack, you lose the access for spying. The second decision is whether the target is valuable enough to justify using the cyber "weapon" — because once you attack, the opponent can develop countermeasures or fix vulnerabilities, making your weapon "single-use" (no one will fall for Stuxnet again).

There also are potentially tough political decisions. Attacking a "tactical" target could unintentionally result in damage to "strategic" targets hundreds of miles away and expand and escalate the conflict. An attacker may not know what is connected to a target network — one early cyberattack disabled its target along with a broadcast network in a nearby allied country. Attacking a bridge and knocking out a hospital are things to avoid because they run contrary to our rules for warfare and could create enormous political damage.

Someone needs to decide when the benefit of an attack outweighs the loss of intelligence or the political risk, or when a target justifies expending a weapon that might never work again. The inability to predict collateral damage and uncertainty over political effect has made the United States cautious. The Presidential Policy Directive 20 restricts independent action by tactical and operational commanders for this reason. A local commander may not know all the trade-offs or the risks that cyberattack could entail. Until we get better predictive tools, judgments about risk and consequences require decisions that only the top defense officials in Washington can make.

Offensive cyber-operations are an inevitable part of conflict. They are no more likely to go away than are guns or missiles. A new technology appears and is adopted for military use. Soon all advanced militaries have it. If the technology is cheap enough, smaller countries and amateurs will acquire it as well. This has been the pattern for weapons since the start of the Industrial Revolution and it still holds for cyberattacks. Perhaps nations will agree on limits to govern offensive cyber-capabilities — although until this year, there wasn't even international agreement that the laws of armed conflict could apply to cyberattacks — but no one will give them up.

Offensive cyber-operations give the United States a military advantage, but opponents also can carry them out. The nation leads the world in cyber-offense, but its defenses are weak and it is beginning to lag behind other nations. U.S. policy is troublingly incongruent. Strengthening offensive cyber-capabilities is a military program with wide support, but strengthening defensive capabilities runs counter to strongly held ideologies and commercial interests. Our defenses have not kept up in the face of growing foreign capabilities. Cyber-deterrence is a non sequitur — words that people have strung together in lieu of thought — because in cyberspace, a strong offense is not the best defense. We may have the best offensive cyber-capabilities on Earth, but when it comes to defense, the United States depends on the kindness of strangers, because despite years of noisy discussion, if somebody decides to attack us, we are in no way ready to protect ourselves in cyberspace.